Shellshock a.k.a. Bashdoor / Bash bug

Shellshock a.k.a. Bashdoor / Bash bug
Bruce Maggs

Bash Shell
Released June 7, 1989.
Unix shell providing built-in commands such as cd, pwd, echo, exec, builtin.
Platform for executing programs.
Can be scripted.

Environment Variables
Environment variables can be set in the Bash shell, and are passed on to programs executed from Bash.
    export VARNAME="value"
(use printenv to list environment variables)

Environment variable settings in cygwin bash shell listed using printenv

Stored Bash Shell Script
An executable text file that begins with #!program
Tells bash to pass the rest of the file to program to be executed.
Example (pass a list of commands to bash):
    #!/bin/bash
    export STR="Hello World!"
    echo $STR

Hello World! Example

Dynamic Web Content Generation
Web Server receives an HTTP request from a user.
Server runs a program to generate a response to the request.
Program output is sent to the browser.

Common Gateway Interface (CGI)
Oldest method of generating dynamic Web content (circa 1993, NCSA).
Operator of a Web server designates a directory to hold scripts (typically PERL) that can be run on HTTP GET, PUT, or POST requests to generate output to be sent to browser.

CGI Input
PATH_INFO environment variable holds any path that appears in the HTTP request after the script name.
QUERY_STRING holds key=value pairs that appear after ? (question mark).
Most HTTP headers passed as environment variables.
In case of PUT or POST, user-submitted data provided to script via standard input.

CGI Output
Anything the script writes to standard output (e.g., HTML content) is sent to the browser.

Example Script (Wikipedia)
Bash script that invokes PERL to print out environment variables:
    #!/usr/bin/perl
    print "Content-type: text/plain\r\n\r\n";
    for my $var ( sort keys %ENV ) {
        printf "%s = \"%s\"\r\n", $var, $ENV{$var};
    }
Put in file /usr/local/apache/htdocs/cgi-bin/printenv.pl
Accessed via http://example.com/cgi-bin/printenv.pl

Windows Web server running cygwin
http://example.com/cgi-bin/printenv.pl/foo/bar?var1=value1&var2=with%20percent%20encoding
    DOCUMENT_ROOT="C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs"
    GATEWAY_INTERFACE="CGI/1.1"
    HOME="/home/SYSTEM"
    HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
    HTTP_ACCEPT_CHARSET="ISO-8859-1,utf-8;q=0.7,*;q=0.7"
    HTTP_ACCEPT_ENCODING="gzip, deflate"
    HTTP_ACCEPT_LANGUAGE="en-us,en;q=0.5"
    HTTP_CONNECTION="keep-alive"
    HTTP_HOST="example.com"
    HTTP_USER_AGENT="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
    PATH="/home/SYSTEM/bin:/bin:/cygdrive/c/progra~2/php:/cygdrive/c/windows/system32:..."
    PATH_INFO="/foo/bar"
    QUERY_STRING="var1=value1&var2=with%20percent%20encoding"

Shellshock Vulnerability
Function definitions are passed as environment variables whose values begin with ()
Error in environment variable parser: executes “garbage” characters after function definition.
Vulnerability has been present since version 1.03 of Bash, which was released in September 1989.

Cygwin Bash Shell Shows Vulnerability
Exact syntax matters!

Alternatively

Another Alternative

Crux of the Problem
Any environment variable value can contain a function definition with extraneous trailing characters that the Bash parser will execute before it runs a program.
Environment variables can be inherited from other parties, who can thus inject code that Bash will execute.
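A host check for the behaviour described above, added here as an example and not taken from the slides: it starts each Bash binary with the slide's test value (a harmless marker as the trailing command) and reports whether the marker ran. The variable name probe, the marker text and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the slides): report whether a Bash binary still
# executes text that trails a function definition in an imported variable.

# check_bash_import BASH_PATH
# Prints "vulnerable", "not vulnerable" or "not runnable".
check_bash_import() {
    [ -x "$1" ] || { echo "not runnable"; return 0; }
    # Value from the slides, with a harmless marker as the trailing command.
    # "probe" is an arbitrary variable name chosen for this example.
    out=$(env probe='() { :;}; echo TRAILING_CODE_RAN' "$1" -c 'echo child ran' 2>/dev/null)
    case $out in
        *TRAILING_CODE_RAN*) echo "vulnerable" ;;
        *"child ran"*)       echo "not vulnerable" ;;
        *)                   echo "not runnable" ;;
    esac
}

# audit_bash_binaries
# Checks every distinct bash listed in /etc/shells or found on PATH,
# since a host can carry more than one copy (e.g. a locally built one).
audit_bash_binaries() {
    {
        if [ -r /etc/shells ]; then
            grep '/bash$' /etc/shells || true
        fi
        command -v bash
    } 2>/dev/null | sort -u | while IFS= read -r path; do
        printf '%s\t%s\n' "$path" "$(check_bash_import "$path")"
    done
}

audit_bash_binaries
```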

Web Server Exploit
Send Web Server an HTTP request for a script with an HTTP header such as HTTP_USER_AGENT set to '() { :;}; echo vulnerable'
Before the Bash shell runs the script it will evaluate the environment variable HTTP_USER_AGENT and run the echo command.
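Detection for the request described above, added here as an example and not taken from the slides: it scans access-log entries for a quoted field that begins with the function-definition prefix. The log lines are constructed samples in combined log format, and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the slides): find access-log entries in which a
# quoted field (request line, Referer, User-Agent) begins with "() {".
# Bash only treats a value as a function definition when it starts with
# exactly those four characters, so the match is anchored to the field start.

# Constructed sample entries in combined log format (documentation addresses).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/printenv.pl HTTP/1.1" 200 931 "-" "() { :;}; echo vulnerable"
203.0.113.5 - - [25/Sep/2014:10:02:41 +0000] "GET /cgi-bin/printenv.pl HTTP/1.1" 200 931 "() { :;}; echo vulnerable" "Mozilla/5.0"
192.0.2.44 - - [25/Sep/2014:10:03:17 +0000] "GET /about.html HTTP/1.1" 200 204 "-" "ExampleAgent/1.0 (notes: () { appears mid-value)"
EOF
}

# scan_log: reads log lines on stdin, prints "<client> <field>" per hit.
# Splitting on the double quote puts the quoted fields at even positions.
# Escaped quotes inside a header shift the numbering, so such a hit is
# reported as "fieldN" instead of by name.
scan_log() {
    awk -F'"' '
    {
        split($1, pre, " ")                 # pre[1] is the client address
        for (i = 2; i <= NF; i += 2) {
            if ($i ~ /^[(][)] [{]/) {
                name = (i == 2) ? "request" : (i == 4) ? "referer" : (i == 6) ? "user-agent" : ("field" i)
                print pre[1], name
            }
        }
    }'
}

sample_log | scan_log
```

The fourth sample line is not reported because its "() {" sits in the middle of the value, where Bash would not read it as a function definition.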

Purported WopBot Attack on Akamai
There have been news reports indicating that Akamai was a target of a recent ShellShock-related BotNet attack. (See information about WopBot). Akamai did observe DDOS commands being sent to an IRC-controlled botnet to attack us, although the scale of the attack was insufficient to trigger an incident or need for remediation. Akamai was not compromised, nor were its customers inconvenienced. We receive numerous attacks on a daily basis with little or no impact to our customers or the services we.
https://blogs.akamai.com/security/